Alex-
Leader

Enabling Anti-Phishing on R81.20 VSX without Internet interface

VSX R81.20 T24

I'm looking for the best way to set up Anti-Phishing on VSs doing HTTPS Inspection that don't have a public interface; this is done by an upstream system.

The article "Zero Phishing In-Browser protection is not working for HTTP sites" (checkpoint.com) mentions that it's best practice to use a public IP for the FQDN, even if it's a dummy one, and assign it to a disconnected interface.

Now the issue with VSX is that assigning an IP to a discrete disconnected interface will cause this IP to be monitored, and the VS will go from Active/Standby to Active/Down.

Is it then recommended to still enable the interface and create connectivity between the VSX cluster members for that IP?

0 Kudos
4 Replies
G_W_Albrecht
Legend

I would strongly suggest contacting TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Wolfgang
Authority
Accepted Solution

We had a similar use case in the past, with the need for a dummy interface. We solved this with a new VLAN interface on an existing BOND. To get the interface up you have to configure the connected switchports with the same VLAN-ID, because they are monitored, as you wrote. Normally only the first and last VLAN on a trunk are monitored, so you could use one in between without it being monitored. But for troubleshooting and some other interactions it's better to configure this like a normal interface, including the switch.

If you can't use a VLAN you can use a new physical interface, but you have to connect it to a switch to get the link up, or, if only two gateways are used, via a directly attached cable.

Alex-
Leader

That's very correct, I used this method in the past for so-called loopbacks. The issue here is that a dummy public IP is required. Since it will be up if either connected with a port or a bond VLAN, it will be redistributed in dynamic routing and will then require specific route-maps where we used a generic redistribute to announce connected networks. Also, I understand that in the case of multiple VSs we'll need on top of that to configure a dummy public IP and FQDN for each one. Not sure the customers will find this elegant.

0 Kudos
Wolfgang
Authority

I don't know your specific requirements. But as an idea... you can create a new virtual firewall with the dummy public IP and a very simple policy (your Anti-Phishing). Could your outgoing traffic be routed through this new system from the other VSs?

0 Kudos